
* Define the path to the targets (transition graphs)
* Apply trust boundaries (security measures)
* Define the weaknesses of the security measures adopted

Banking malware families can, in practice, bypass the vast majority of the world's most secure authentication schemes. How? The answer is simple: by tailoring an attack to the specific authentication scheme, with a bit of social engineering. Malware authors know that, most of the time, the weakest link is the user.

=== TextField Static Password ===

'''Risk Evaluation:'''

Vulnerable to the vast majority of all banking malware families in their default configuration.

[Figure: Static Password]

'''Description'''

A password is a secret word or string of characters that is used for authentication, and is the world's most used and simplest way of authenticating a user to a computer. "Static" means that the password does not change over time unless it is manually updated. The textbox input field is the HTML element where the password is entered; this element is compatible with HID (Human Input Devices) such as hardware keyboards and virtual keyboards.

'''How it gets defeated'''

Almost all banking malware can automatically log passwords using two components: keylogging and form grabbing. A software keylogger component can use a number of very different techniques, because operating systems offer many different ways to know which key a user is pressing. Even if this component seems very powerful, it has the disadvantage of not logging the clipboard. Users may copy and paste passwords for simplicity or security reasons: many password wallets suggest this approach (e.g. KeePassX). For this reason banking malware authors prefer to log web-based credentials using form grabbing components instead of keyloggers: from Wikipedia, "this method intercepts the on submit API in browsers and collects web form data before it passes over the internet."
Since form grabbing is used by every major banking malware family (e.g. Zeus, SpyEye, ICE IX etc.), a "text field" static password does not represent a secure way of authentication. In addition, malware families can automatically log any password field without any particular configuration.

=== Javascript Keyboard ===

'''Risk Evaluation:'''

Vulnerable to the vast majority of all banking malware families with a minimal configuration of the malicious agent. This solution alone does not give a substantial improvement in security compared with the password textbox input; however, the attacker needs more time to analyze puzzled screenshot passwords, so it is a valid approach in terms of defense in depth.

[Figure: Javascript Keyboard]

'''Description'''

The Javascript Keyboard was introduced more than a decade ago in response to the keylogging and form grabbing techniques used by Trojan stealers. It works by drawing a virtual keyboard on the screen with a dynamic layout; the random arrangement of the keys represents a sort of [http://en.wikipedia.org/wiki/Turing_test "turing test"] that can be understood by human users but not by malicious software agents.

'''How it gets defeated'''

Back in 2002, after a couple of years, malware authors realized that they could grab images of the area around each clicked key (click area grabbing) or video-record the sequence of keys pressed. The "click grabbing" feature was born, and with a minimal configuration it was possible to defeat Javascript keyboard passwords in a standard and efficient way. This kind of attack simply stores the captured information remotely for subsequent interpretation by a human attacker.

=== Behavior Based Authentication ===

=== TAN (Gridcard, Scratch Card) ===

=== OTP (Time Based, Click Based) ===

'''Risk Evaluation:'''

Basic OTPs are vulnerable to HTML injection and to other more sophisticated techniques, but give the bank the following important security improvements:

* Tokens are valid for a very short period of time. Attackers need to engage human assistance to successfully abuse the compromised tokens within the valid time window. This involves Instant Messaging and user monitoring, which adds costs on their side.
* This authentication measure may need UI redressing or automation to be bypassed, introducing important anomalies that can be detected.

[Figure: Redressing Attack with custom WebInject]

'''Description'''

A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. OTPs are difficult for human beings to memorize, so they require additional technology in order to work; this technology may be implemented in software tools or in external hardware devices (hardware tokens). Basic OTPs are based on cryptographic one-way algorithms and are initialized with a different key for each user to avoid impersonation attacks. In addition, each used token is blacklisted and cannot be used a second time, to avoid replay attacks.
Since basic OTP tokens have no direct communication with the remote server, they need an indirect mechanism to stay synchronized with the remote infrastructure. Synchronization can be achieved by time synchronization between the authentication server and the client providing the password (OTPs are valid only for a short period of time), or by counting the number of previously generated passwords and accepting a range of valid passwords (if the user presses the button too often the device will go out of sync).

'''How it gets defeated'''

Even if this technology seems very resilient against malware attacks, it is not! Basic OTPs can be defeated very easily with user interface redressing. This attack is accomplished using the infamous feature called WebInjects, which permits injecting arbitrary HTML into the original bank login pages.
As we said previously, the token is valid for a single transaction and is blacklisted after the first use. Malware attackers never let the token reach the bank, so the bank cannot blacklist it. To defeat the time-restriction window, they may also make use of Instant Messaging plugins to relay the token to the attacker in real time.

=== CAP (Random Nonce, Challenge Response) ===

=== SMS Challenges ===

=== MSISDN (Caller-ID Authentication) ===

== Appendix B: Banking Malware Families (Active in 2012) ==

Taking inspiration from Marco Morana's presentation and from other sources (e.g. slides 26-30 of "The Bank in the Browser" presentation by G. Fedon), here is a quick summary of banking malware features, updated as of 2012.

The schema summarizes every banking Trojan by giving the following information:

* Attack Capabilities
* Type

Attack Capabilities describes the features of the Trojan in question, and immediately below each feature the technique used to implement it:

* HTTP Injection
* Browse Redirect
* Form Grabbing
* Stored Password Theft
* Keystroke Logging
* Bypass MFA
* ScreenCapture / VideoCapture
* Certificate Theft
* Install Backdoor
* Instant Message

The Type field describes how the malware operates:

* Automatic
* Manual

=== SpyEye ===

SpyEye is considered the successor of ZeuS and is globally regarded as the most advanced banking malware kit currently in use.

This kit was conceived as a botnet that is easy to manage via a web-based control panel.

SpyEye relies upon MiTB (Man in The Browser) attacks to accomplish its task; it provides a custom encrypted configuration file where there are:

* [http://www.damballa.com/downloads/r_pubs/RN_SpyEye-Kicked-to-Curb_Bodmer.pdf SpyEye being kicked to the curb by its customers?]

Tracking SpyEye:

* [https://spyeyetracker.abuse.ch/ SpyEye Tracker]

=== Zeus ===

Despite the fact that the ZeuS Kit is no longer developed, the infection statistics that can be checked here [https://zeustracker.abuse.ch/statistic.php ZeuS Statistics] clearly demonstrate that this Trojan has a remarkable diffusion.

2011 was also the year of the ZeuS source code leak; this essentially led to a number of new ZeuS variants, the most significant being:

* '''ICE IX'''
* '''ZeuS P2P Edition'''
* '''Citadel'''
* '''GameOver'''

The most interesting variant is the P2P one, where ZeuS gained P2P botnet and DGA (Domain Generation Algorithm) capabilities that make ZeuS able to interact with other victims (nodes) and get updated binaries and configurations.

[http://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/ Citadel] is a variant that appeared in January 2012 and supports grabbing on the Google Chrome browser.

The [http://threatpost.com/en_us/blogs/new-zeus-variant-means-gameover-unsuspecting-users-010912 GameOver] variant starts a DDoS attack against the target bank at the same time as it commits the fraudulent operation, to distract the bank's attention.

=== Zeus Mitmo ===

ZeuS Mitmo (Man in the Mobile) is the smartphone version of Zeus. It combines SMS and the web attack vector to attack online banks via smartphone, since many banks use SMS as a second authentication factor.
ZeuS Mitmo is designed to steal mTANs: computers infected with a ZeuS Mitmo Trojan inject a "security notification" into the web banking process, attempting to lure the user into providing their phone number. If a phone number is provided, the user receives an SMS link pointing to the mobile component, ZeusMitmo.

=== Carberp ===

After ZeuS and SpyEye, the third advanced banking Trojan is Carberp, which during its evolution reached a great level of complexity by mixing good bypassing and stealth countermeasures with the ability to steal online banking credentials via browser code injection.

=== Clampi ===

Clampi (also known as Ligats, Ilomo or Rscan) is a Trojan designed to steal credentials from infected systems. Its main purpose is to steal online banking credentials in order to conduct unauthorized transfers of funds from compromised accounts to groups likely located in Eastern Europe or Russia.

It has seven modules:

* SOCKS: a SOCKS proxy.
* PROT: steals PSTORE credentials, which typically contain credentials saved when using a web browser.

=== Shylock ===

Shylock is a new financial malware, publicly reported for the first time on 7 September 2011. The main ability of this malware is to inject itself into explorer's code. It also incorporates a watchdog that prevents removal, and rootkit functionality to hide itself.

Features list:

* '''Gathering system information on the compromised system and sending it to the dropzone'''
* '''Downloading the configuration that will be used from a defined domain'''

=== Oddjob ===

The Oddjob financial Trojan was publicly reported for the first time on 22 February 2011. The peculiar characteristic of Oddjob is the ability to keep the victim's session open even after they log out; this implies that criminals are able to steal money by impersonating the victim through the captured session ID.

Oddjob works by injecting malicious code into the Internet Explorer and Firefox browsers; the code is contained in custom configuration files.

A quick summary of the Trojan's functionalities follows:

* '''Intercepts GET and POST requests'''
* '''HTML Code Injection via MiTB Approach'''
* '''Session Hijacking'''

Session hijacking is performed by altering the logout functionality via malicious injected HTML/JS code: the victim inadvertently keeps the session open and the fraudsters commit the money transaction.

=== Cridex ===

The Cridex Trojan became a widespread threat to home banking activities in the first part of 2012. The malware is usually delivered via malicious e-mails that contain shortened links to BlackHole Exploit Kit websites.

Here is a quick summary of Cridex's features:

* Download and Execute Files
* Upload and Search Files
* Steal local Certificates
* Configuration-driven MiTB capabilities that target banking users

The Man in The Browser performed by Cridex targets the following browsers:

* '''Firefox'''
* '''Internet Explorer'''

The malware communicates with C&C servers via SSL in order to upload stolen credentials and receive commands or configuration updates. Cridex also has a modular structure, which means that the C&C server can push additional functionality to the running bots.

One of the most interesting components is the spamming/propagation module, which is able to create new e-mail accounts that are then used to spread Cridex itself.

Creating new e-mail accounts nowadays also implies the need to solve CAPTCHAs, and one of the most interesting features of Cridex is its ability to integrate with a CAPTCHA-breaking server.

References:

* [http://community.websense.com/blogs/securitylabs/archive/2012/01/30/trojan-caught-on-camera-shows-captcha-is-still-a-security-issue.aspx Trojan caught on camera shows CAPTCHA is still a security issue]

=== Tinba ===

Tinba stands for TinyBanker; the name derives from the reduced size of the binary, approximately 20KB. Tinba relies upon the MiTB (Man in The Browser) attack and has a high level of invisibility to antivirus technology.

The malware injects itself into the following system processes:

* explorer.exe
* svchost.exe

After the injection, Tinba looks for the execution of processes related to the most widely used browsers, such as Internet Explorer and Firefox. The Tinba infrastructure is typical of a classic HTTP botnet. The binary has a list of four malicious servers used to upload stolen credentials; communication is encrypted with the RC4 algorithm.

The configuration management system relies upon two files:

* cfg.dat
* web.dat

The syntax of the configuration is identical to the ZeuS one. It is also interesting to note that Tinba can modify the HTTP response header X-Frame-Options in order to introduce dangerous elements such as external links supported by HTTPS.

=== Gataka ===

Gataka is a banking Trojan with an architecture similar to SpyEye that emerged in the first part of July 2012. The binary is equipped with an encrypted configuration file containing the HTML/JS code to be injected into the target bank; additionally, the configuration contains a modular plugin-based system that implements a wide range of malicious features.

The Trojan injects itself into the system process Explorer.exe and then establishes persistence on the system by adding a registry key entry.

From an architectural point of view, like SpyEye, plugins are downloaded from the C&C server and are uniquely identified by an ID. A summary of the identified plugins follows (information is taken from the ESET article; check the references for additional details):

* '''HermesCore''': This plugin is automatically included in all versions of Gataka and has a fundamental function: it is responsible for communication activities. The addresses of the servers are encoded in Base64. HermesCore can also run arbitrary executables sent by the botmaster.
* '''Interceptor''': As the name suggests, this plugin takes care of intercepting network traffic by hooking the connect(), getpeername() and closesocket() APIs. The plugin essentially acts as a proxy that monitors inbound/outbound traffic, and in the case of encrypted communications (HTTPS) Interceptor is able to use fake certificates to perform a MiTM attack. Interceptor is able to change the certificate checking functions of several browsers at run time, so as to make the entire process even more invisible to the victim.
* '''NextGenFixer''': This plugin acts as a URL filter able to perform certain functions when a specific address is typed by the user.
* '''WebInject''': This plugin takes care of injecting malicious HTML/JS code into the target page, and is also able to record a video of the browsing session. WebInject uses NextGenFixer to determine the URL typed by the victim.
* '''HttpTrafficLogger''': Keeps a log of the victim's browsing.
* '''SocksTunnel''': Implements a SOCKS server so as to use the infected machine for anonymous browsing activities.